Closed Bug 982754 Opened 10 years ago Closed 10 years ago

Some self-signed certificates incorrectly trigger SEC_ERROR_INADEQUATE_KEY_USAGE

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
30 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla31
Tracking Flags:
Tracking Status
firefox29 --- unaffected
firefox30 + fixed
firefox31 --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed

People

(Reporter: bob, Assigned: keeler)

References

Details

(Keywords: regression)

Attachments

(1 file)

patch
45.31 KB, patch
cviecco
: review+
lsblakk
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
Self-signed certificates used for https Web Server Authentication that don't have certificate signing key usage are rejected with SEC_ERROR_INADEQUATE_KEY_USAGE.
It is a problem because you can't override SEC_ERROR_INADEQUATE_KEY_USAGE with an exception, and some testing environment use those kind of self-signed certificate. For example, all self-signed certificates generated by IIS (Microsoft web server) have this pattern.
Moreover, self-certificates used for https will never be used as a CA root, so that doesn't really make sense to give them the certificate signing key usage.
It seems like we need to revert the changes we made in bug 975122 for SEC_ERROR_INADEQUATE_KEY_USAGE in classic mode.

This means we also probably need to change the order in which things are checked in insanity::pkix, so that the issuer-independent properties of end-entity certificates are checked after the cert chain is built and before revocation checking is done.
Component: Security → Security: PSM
Product: Firefox → Core
Target Milestone: --- → mozilla30
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch patchSplinter Review 
Brian - let me know what you think of this. It allows the override specific to the situation in bug 978797 for classic verification but doesn't change anything about insanity::pkix verification. (This has the side-effect of allowing any inadequate key usage overrides for classic verification.)
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8390906 - Flags: review?(brian)
Comment on attachment 8390906 [details] [diff] [review]
patch

Review of attachment 8390906 [details] [diff] [review]:
-----------------------------------------------------------------

Hi, I want to concentrate my contributions on the insanity::pkix-related stuff for the immediate future. Please have Camilo review this.
Attachment #8390906 - Flags: review?(brian) → review?(cviecco)
Attachment #8390906 - Flags: review?(cviecco) → review+
https://hg.mozilla.org/mozilla-central/rev/5854254a309d
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
https://e-shop.pcshop.ua/Catalog.aspx  don`t work with latest nightly build 31, I downloaded the latest version today
firefox-31.0a1.en-US.win64-x86_64.zip	18-Mar-2014 11:56 works very well!!!
31.0a1 (2014-03-18) validated against self-signed certs created by IBM Power Systems Hardware Management Consoles.  Thanks team!
Is it supposed to be uplifted on Aurora? And looks like Target Milestone: should be set to mozilla31. This patch has landed after version bump.
(In reply to Alexander L. Slovesnik from comment #9)
> Is it supposed to be uplifted on Aurora? And looks like Target Milestone:
> should be set to mozilla31. This patch has landed after version bump

Right - this landed in 31. I don't think there are plans to uplift at the moment.
Target Milestone: mozilla30 → mozilla31
(In reply to David Keeler (:keeler) from comment #10)
> (In reply to Alexander L. Slovesnik from comment #9)
> > Is it supposed to be uplifted on Aurora? And looks like Target Milestone:
> > should be set to mozilla31. This patch has landed after version bump
> 
> Right - this landed in 31. I don't think there are plans to uplift at the
> moment.

We need to uplift this through Firefox 29 beta. Otherwise there wasn't any point in doing it.
status-firefox29: --- → affected
status-firefox30: --- → affected
status-firefox31: --- → fixed
tracking-firefox29: --- → ?
tracking-firefox30: --- → ?
Flags: needinfo?(dkeeler)
Keywords: regression
My understanding is bug 975122 caused this, which landed on 30 and wasn't uplifted.
Blocks: 975122
status-firefox29: affectedunaffected
tracking-firefox29: ? → ---
Flags: needinfo?(dkeeler)
Comment on attachment 8390906 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 975122
User impact if declined: inability to add certificate overrides in some cases
Testing completed (on m-c, etc.): landed on m-c, has automated tests
Risk to taking this patch (and alternatives if risky): low
String or IDL/UUID changes made by this patch: none
Attachment #8390906 - Flags: approval-mozilla-aurora?
Attachment #8390906 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Still affecting FF31.0a1 (2014-04-03) for self signed cert that was working up until a few days ago.
Cam, can you file a new bug (basically, you can clone this one) with either a public-facing URL or a copy of a certificate that has this issue? Thanks.
Flags: needinfo?(camden.narzt)
(In reply to David Keeler (:keeler) from comment #16)
> Cam, can you file a new bug (basically, you can clone this one) with either
> a public-facing URL or a copy of a certificate that has this issue? Thanks.

Done.
Flags: needinfo?(camden.narzt)
I got the bug on https://cloud.turmel.info/ I can't get the cert.
For turmel.info the certificate presented is self signed with a basic constriaints extension with an explicit cA Boolean (is CA) set to true. We are no longer accepting CA certificates to be valid end-entity certificates. 

Here is the pem:
-----BEGIN CERTIFICATE-----
MIID8TCCAtmgAwIBAgIJAM0VcQK2/CbvMA0GCSqGSIb3DQEBBQUAMIGOMQwwCgYD
VQQIDANOL0ExCzAJBgNVBAYTAkZSMRYwFAYDVQQDDA1ncnVtcGZmZi5pbmZvMRcw
FQYDVQQKDA5SYXlzYSBOZXR3b3JrczEgMB4GCSqGSIb3DQEJARYRcmF5LWNvbUBy
YXlzYS5vcmcxHjAcBgNVBAcMFUxlIE1lc25pbCBTYWludCBEZW5pczAeFw0xMzA5
MTUxNzE2NDJaFw0xNDA5MTUxNzE2NDJaMIGOMQwwCgYDVQQIDANOL0ExCzAJBgNV
BAYTAkZSMRYwFAYDVQQDDA1ncnVtcGZmZi5pbmZvMRcwFQYDVQQKDA5SYXlzYSBO
ZXR3b3JrczEgMB4GCSqGSIb3DQEJARYRcmF5LWNvbUByYXlzYS5vcmcxHjAcBgNV
BAcMFUxlIE1lc25pbCBTYWludCBEZW5pczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAJvmJUNMOXdRnj2TZ1rrovHcTy0BL24iegDe8HtwICIMzTioNvYi
I81E0F/kLlyEJo/bbBtvY3Ypy1xsJKMgfT6jZ2QoyPVCG1Kz5k7PAaHHqfBsLlTn
e69C5ok5zlfZzjC9YFENKGfEB/pAcKl7IMQmf4B1VIw5OhV+pQuIOO8we1ne34A/
Xm+9HeQAUznOo9h4J5YHF2Tt+YDMppj0YLR6MOnC1ADnEt1s88jtNLXWYg2ZdmFq
nIVpW/k32B0tBoRwx3KuOojrr81gG+OnKacOVzfHl0Zby7nrKlb4zlF2R/ubhyY6
M9DyEjsPUjUY5P8lIMIcDWJk9IqYF1Rnc1ECAwEAAaNQME4wHQYDVR0OBBYEFJNt
7G+3d9MeH8wmeJlW9ygEteq8MB8GA1UdIwQYMBaAFJNt7G+3d9MeH8wmeJlW9ygE
teq8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFcFnu25BoLYlTTc
bk2oFqmGpCMf7UPNSurSXQ73xCvU3mDyp1+nnpTbFuuiGgx/eDXtdMH4ukzZWOAi
+HxDhaTfDY1LxGlmrvI74hYunNWPEpG/6Ury+My7ZLBScSNVYjzne4Yk3TtqBzop
WNLRzgIVn/Se4ZW9PN/tGaYvJDgRMNo0WdLR/BACgpAlZYtd86YomtSWfRKYmFi+
NM1hXXZAvxyQTX4nVs5JUPbri1Bik6pjZYvTEzhOyRO1GSgo2Kf/e6EPgpWunShp
//p9Ig0tAbC9HL9zHnjUGFR/FnRcrJxe6WdbNlHrOMtt9mOAlE6VaZ75S/9dlNAU
l0lAPhs=
-----END CERTIFICATE-----
I am having the same issue using Microsoft Family Safety. Family Safety has it's own CA which it uses to created self-signed copies of the actual certificates used. So when you visit https://www.google.com for example, the certificates appears to be signed by the Family Safety CA, rather than the actual CA used by google.com.

Since FF30 has this problem with IIS certificates and Family Safety uses one of these "problem" certificates, the end result is that all FF30 users who use Family Safety are no longer able to access HTTPS website.
I wonder if this issue relates to another SSL issue I am having with FF30.

https://bugzilla.mozilla.org/show_bug.cgi?id=1021515
Flags: in-testsuite+
Please clean-up/remove associated CA certificate and/or certificate from certificate store. 
Using "Advanced -> Certificates -> View Certificates ..."
As the feature" is still present in Firefox ESR 31.3.0, I feel I have to comment:

(In reply to Sébastien Desvignes from comment #0)
> It is a problem because you can't override SEC_ERROR_INADEQUATE_KEY_USAGE

That's the most essential point of it: You may enhance the security whatever way you like, but give users a chance to override the new restrictions. In my case I'm using a commercial product that includes it's own web server and certificate generated during installation. While it's possible to replace the standard certificate, the user may have priority on using his product over having better security, especially when working in an intranet anyway...
To complete my comment #23: And the explanation presented to the user in case of this error does not provide enough information (specifically the option to view the rejected certificate is missing) for an IT professional to find out what Firefox is actually complaining about (details, please!)
Ulrich, this was fixed in 30, so ESR 31 shouldn't be having a problem with this. Please file a new bug with the error code you're seeing and steps to reproduce. In particular, a copy of the public part of the certificate the server is sending will be helpful. Thanks.
(In reply to David Keeler (:keeler) [use needinfo?] from comment #25)
> (...) Please file a new bug ...
Done: bug 1113506
Blocks: 1113506

New problem with this error: see #1590217

Flags: needinfo?(dkeeler)

Responded in that bug.

Flags: needinfo?(dkeeler)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: